chore: ensure downloaded slim binary version matches server #211
+53
−9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Not directly related but @jdomeracki-coder should we also implement binary verification in Coderd Desktop? cc: @deansheather |
929c831 to
262c4d1
Compare
|
|
||
| let version: String | ||
| do { | ||
| let versionOutput = try await Subprocess.data(for: [binaryPath.path, "version", "--output=json"]) |
There was a problem hiding this comment.
Any way to drop privileges for this subprocess? We are root after all...
There was a problem hiding this comment.
This is possible with a combination of launchctl asuser <uid> and sudo -u [<uid>|<username>]:
sudo -u '#501' launchctl asuser 501 /usr/bin/whoami
One switches the UID, the other the (macOS specific) execution context.
Unfortunately,
$ sudo -u nobody launchctl asuser -2 /usr/bin/whoami
Could not switch to audit session 0x187c3: 1: Operation not permitted
does not work, and so we'd need to determine the currently logged in user in some other way.
501 is the first created user on the machine, and on corporate devices this will likely be some admin user.
There was a problem hiding this comment.
It's fine to execute it as root if it's too difficult, the signature is still ours so the risk is small
e9e15db to
c7602c2
Compare
262c4d1 to
a7b16ea
Compare
c7602c2 to
f008801
Compare
a7b16ea to
9695afe
Compare
f008801 to
847006f
Compare
c229789 to
a723a9a
Compare
847006f to
d9255bc
Compare
a723a9a to
ffe7d2e
Compare
d9255bc to
4f29ff3
Compare
ffe7d2e to
ab9ca27
Compare
4f29ff3 to
5840bce
Compare
ab9ca27 to
50e4a63
Compare
5840bce to
3f7f6b6
Compare
deansheather
approved these changes
Aug 4, 2025
50e4a63 to
8fb9382
Compare
3f7f6b6 to
42b8f0b
Compare
8fb9382 to
431149f
Compare
42b8f0b to
b716554
Compare
b716554 to
02b3369
Compare
431149f to
8fceeab
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR enhances the security validation of downloaded Coder CLI binaries by adding version validation and strengthening certificate chain verification. The changes prevent downgrade attacks by ensuring the downloaded binary version matches the server version, and add explicit Apple certificate chain validation.
Key changes:
- Split validation into separate signature and version validation functions
- Add binary version validation by executing
coder version --output=json - Strengthen certificate validation to require Apple-issued certificate chain
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Coder-Desktop/VPNLib/Validate.swift | Refactors validation logic, adds version validation function, and enhances certificate chain requirements |
| Coder-Desktop/Coder-DesktopHelper/Manager.swift | Updates to use new two-step validation process (signature then version) |
02b3369 to
a4bbf6b
Compare
8fceeab to
62c3d0a
Compare
Merge activity
|
62c3d0a to
7c6b9a7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Relates to #201.
After we've validated the binary signature, we exec
coder version --output=jsonto validate the version of the downloaded binary matches the server. This is done to prevent against downgrade attacks, and to match the checking we had on the dylib before.Additionally, this PR also ensures the certificate used to sign the binary is part of an Apple-issued certificate chain.
I assumed we were checking this before (by default) but we weren't.
Though we weren't previously checking it, we were only ever downloading and executing a dylib.
My understanding is that macOS won't execute a dylib unless the executing process and the dylib were signed by the same Apple developer team (at least in a sandboxed process, as is the Network Extension).
Only now, when
posix_spawning the slim binary from an unsandboxed LaunchDaemon, is this check absolutely necessary.